Details

HEATsoftware has determined that the antivirus (AV) definitions file released at approximately 3:22am EST/8:22am GMT on Friday, May 10th (AV Definition 7.1.1368158442, created on 10 May 2013 05:00:42) contains a signature that produces a false positive detection. Endpoints running Windows XP x86 with the MS13-036 patch applied may experience this false positive. The issue only affects XP x86; it does not affect XP x64 or Windows Server 2003.

IMPORTANT: Do not shut down or restart any Windows XP x86 systems which may be affected.

Check your AntiVirus Alert logs for the virus name winpe/Tedroo.Z with the infected file listed as win32k.sys; that combination is the false positive detection.

HEATsoftware released an updated definition file (v7.1.1368173351, created on 10 May 2013 09:09:11) at 6:24am EST/11:24am GMT on Friday, May 10th. It is important that you confirm that the AV definition file on your L.E.M.S.S. server is v7.1.1368173351 or higher. If it is not, follow the steps below to ensure that you have the latest definition file in place before running any scans.

IMPACT

Endpoints that received the problem AV definition (v7.1.1368158442), and on which Real Time Monitoring and/or a Recurring Scan ran using this definition file, may see a virus entry for winpe/Tedroo.Z in their Virus Alerts. If that entry is present and the infected file is listed as win32k.sys, then the policy's detection action has been applied to a critical system file, win32k.sys.

If your “When a virus is detected” setting in your Real Time Monitoring or Recurring AV Scan policy is configured to “Attempt to clean, then quarantine, then delete,” a critical system file may be in the endpoint quarantine as a result of the false positive detection. You MUST restore from quarantine prior to system reboot to avoid further problems. If the system has been rebooted, you must follow the recovery instructions below.

If your “When a virus is detected” setting in your Real Time Monitoring or Recurring AV Scan policy is configured to “Attempt to clean, then delete,” a critical system file may be deleted from your system as a result of the false positive detection. If the file is deleted, you must follow the recovery instructions below.

CURRENT STATUS

An updated AV definition file was released at approximately 6:24am EST/11:24am GMT on Friday, May 10th (v7.1.1368173351, created on 10 May 2013 09:09:11) that eliminates this false positive detection. Endpoints that receive this updated AV definition file, or a newer one, before being affected will not experience the false positive. Check your Virus Alerts to confirm that no endpoint was affected in the interim and requires mitigation.

To check the AV definition file version on your endpoints, go to ‘Manage’ > ‘Endpoints’ and select the ‘AntiVirus’ tab, then sort by the ‘AV Definition Version’ column. We recommend disabling ‘Scheduled Scan’ until the AV definition files have been updated on all endpoints.

Please review Real Time Monitoring and Recurring Scan policies for the “When a virus is detected” setting. HEATsoftware highly recommends that you select a setting of “Attempt to clean, then quarantine” (the default).

To identify the endpoints that require mitigation, please check the virus alerts by navigating to ‘Review’ > ‘Virus and Malware Event Alerts’. You can filter this view by entering winpe/Tedroo.Z in the ‘Virus or malware name’ filter and clicking on the ‘Update View’ button.

MITIGATION

Customers whose policy is set to quarantine, and who have not rebooted the endpoint, can restore the files from quarantine and avoid further impact.

Mitigation for systems that have not been shut down or restarted:

Validate that your AV definitions are at 7.1.1368173351 or higher.

Review the quarantined files on the endpoint, looking for two (2) files:

C:\Windows\system32\win32k.sys

C:\Windows\system32\dllcache\win32k.sys

Restore both win32k.sys files from quarantine before the endpoint is rebooted.

Customers whose policy is set to quarantine, but who have already shut down or restarted the endpoint, will find that it no longer boots normally and will have to repair the OS offline using the steps below.

Mitigation if win32k.sys is in quarantine and the system has been shut down or restarted:

Update the L.E.M.S.S. server’s definitions to 7.1.1368173351 or higher.

Boot the endpoint from a Microsoft Vista or post-Vista OS CD.

Click on the ‘Repair your computer’ option > Next > Open Command Prompt.

Copy win32k.sys from quarantine (e.g., C:\Documents and Settings\All Users\Application Data\HEATsoftware\LMAgent\Data\persist\AV\quarantine\win32k.sys) to C:\Windows\System32\ and C:\Windows\System32\dllCache\. Note that the recovery environment may assign the XP volume a drive letter other than C:; confirm which drive holds the \Windows folder (for example with dir) before copying, and use that letter in every path above.
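The following batch script is an added example, not a HEATsoftware tool, that covers both procedures above: run without switches it reports whether the two win32k.sys copies are on disk and whether a quarantined copy exists (the triage for endpoints that have not been rebooted); run with /repair from the recovery command prompt it copies the quarantined file back to system32 and dllcache (the recovery for endpoints that have already rebooted). It uses only the paths given in the advisory. It assumes, as the advisory's example path does, that the quarantined file is stored under its original name and unmodified; the script's name, its switches and the drive-letter handling are the author's own.

```batch
@echo off
REM win32k_check.cmd - added example, not part of the HEATsoftware product.
REM Usage: win32k_check.cmd [drive:] [/repair]
REM   drive:   letter of the Windows XP x86 volume (default C:). From the
REM            Vista/7 repair command prompt the XP volume is often NOT C:,
REM            so check with "dir X:\Windows" first.
REM   /repair  copy win32k.sys from the LMAgent quarantine folder back to
REM            system32 and system32\dllcache. Intended for the offline
REM            recovery prompt; on a running endpoint use the console's
REM            restore-from-quarantine instead.
setlocal EnableExtensions

set "DRV=C:"
set "MODE=check"
for %%A in (%*) do (
    if /I "%%~A"=="/repair" (set "MODE=repair") else (set "DRV=%%~A")
)
REM Accept "D" or "D:" and normalise to "D:".
set "DRV=%DRV:~0,1%:"

REM Paths taken from the advisory (XP x86 layout).
set "SYS=%DRV%\Windows\system32\win32k.sys"
set "DLC=%DRV%\Windows\system32\dllcache\win32k.sys"
set "QUAR=%DRV%\Documents and Settings\All Users\Application Data\HEATsoftware\LMAgent\Data\persist\AV\quarantine\win32k.sys"

if not exist "%DRV%\Windows\system32\" (
    echo %DRV% does not hold a Windows installation. Try another drive letter.
    exit /b 2
)

echo Checking %DRV% ...
set "MISSING=0"
if exist "%SYS%" (echo   present: %SYS%) else (echo   MISSING: %SYS% & set "MISSING=1")
if exist "%DLC%" (echo   present: %DLC%) else (echo   MISSING: %DLC% & set "MISSING=1")
if exist "%QUAR%" (echo   quarantined copy: %QUAR%) else (echo   no win32k.sys in quarantine)

if "%MISSING%"=="0" (
    echo Both copies of win32k.sys are in place. No action needed.
    exit /b 0
)

if "%MODE%"=="check" (
    if exist "%QUAR%" (
        echo win32k.sys was quarantined. Do NOT reboot; restore it from quarantine
        echo via the console, or rerun with /repair from the recovery command prompt.
    ) else (
        echo win32k.sys is missing and no quarantined copy was found ^(clean-then-delete^).
        echo The quarantine-based repair in the advisory does not apply to this endpoint.
    )
    exit /b 1
)

REM /repair: put the quarantined copy back wherever it is missing.
if not exist "%QUAR%" (
    echo No quarantined copy to restore from.
    exit /b 3
)
for %%T in ("%SYS%" "%DLC%") do (
    if not exist "%%~T" (
        copy /Y "%QUAR%" "%%~T" >nul && echo   restored: %%~T || echo   FAILED: %%~T
    )
)
endlocal
```

Before trusting the quarantined copy, compare its size with the dllcache copy (if that one survived) or with win32k.sys on another XP x86 endpoint at the same patch level; a file that differs in size has been altered or truncated and should not be copied into System32. The script exits 0 when both copies are present, 1 when a copy is missing, 2 when the drive does not hold a Windows installation and 3 when /repair finds nothing in quarantine, so it can be driven from a larger triage job.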